arXiv: 1504.01995v2 [cs.DS] 29 Sep 2015 


Solving the Closest Vector Problem in 2” Time 
The Discrete Gaussian Strikes Again! 


Divesh Aggarwal* Daniel Dadush^t Noah Stephens-Davidowitz§^ 

Divesh.Aggarwal@epf1.ch dadush@cwi.nl noahsd@cs.nyu.edu 


Abstract 

We give a 2”+°(”htime and space randomized algorithm for solving the exact Closest Vector 
Problem (CVP) on n-dimensional Euclidean lattices. This improves on the previous fastest algo¬ 
rithm, the deterministic 0(4”)-time and 0(2”)-space algorithm of Micciancio and Voulgaris IIMV13I . 

We achieve our main resulf in fhree sfeps. Firsf, we show how fo modify fhe sampling algo- 
rifhm from I1ADRS15II fo solve fhe problem of discrefe Gaussian sampling over lattice shifts, £ — t, 
wifh very low paramefers. While fhe acfual algorifhm is a nafural generalizafion of HADRSISL 
fhe analysis uses subsfanfial new ideas. This yields a 2”+°(”htime algorifhm for approximafe CVP 
wifh fhe very good approximafion factor 7 = 1 -|- log”). Second, we show fhaf fhe approxi¬ 

mafe closesf vecfors fo a fargef vector t can be grouped info 'Tower-dimensional clusfers," and we 
use fhis fo obfain a recursive reducfion from exacf CVP fo a varianf of approximafe CVP fhaf "be¬ 
haves well wifh fhese clusfers." Third, we show fhaf our discrefe Gaussian sampling algorifhm 
can be used fo solve fhis varianf of approximafe CVP. 

The analysis depends crucially on some new properties of fhe discrefe Gaussian disfribufion 
and approximafe closesf vecfors, which mighf be of independenf inferesf. 

Keywords. Discrete Gaussian, Closest Vector Problem, Lattice Problems. 


1 Introduction 


A lattice C is the set of all integer combinations of linearly independent vectors bi,...,b„ CR”. The 
matrix B = (bi,..., b„) is called a basis of C, and we write £(B) for the lattice generated by B. 

The two most important computational problems on lattices are the Shortest Vector Problem 
(SVP) and the Closest Vector Problem (CVP). Given a basis for a lattice C C R”, SVP asks us to 
compute a non-zero vector in C of minimal length, and CVP asks us to compute a lattice vector 
nearest in Euclidean distance to a target vector t. 

Starting with the seminal work of |[LLL82| , algorithms for solving these problems either exactly 
or approximately have been studied intensely. Such algorithms have found applications in factor¬ 
ing polynomials over rationals iLLL821 , integer programming ILT83 [Kan87[ [DPVllI , cryptanaly¬ 
sis llOdl90l |JS98t INSOT] , checking the solvability by radicals ILM83I , and solving low-density subset- 
sum problems |CJL~*~92|. More recently, many powerful cryptographic primitives have been con¬ 


structed whose security is based on the worst-case hardness of these or related lattice problems | Ajt96 
|MR07ilGeh0^iReg09|[BVnllBLP+13[[BV14l. 


* Department of Computer Science, EPFL. 

’’’Centrum Wiskunde & Informatica, Amsterdam. 

tpunded by NWO project number 613.009.031 in the research cluster DIAMANT. 

§Courant Institute of Mathematical Sciences, New York University. 

'’’This material is based upon work supported by the National Science Foundation imder Grant No. CCF-1320188. Any 
opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not 
necessarily reflect the views of the National Science Foundation. 


1 







































In their exact forms, both problems are known to be NP-hard (although SVP is only known to be 
NP-hard under randomized reductions), and they are even hard to approximate to within a factor of 
j^o(i/iogiogji) u]-((jer reasonable complexity assumptions |ABSS93l |Ajt98[ ICN98llBS99l|DKRS0^IMic0ll 
lKho05i[HR12| . CVP is thought to be the "harder" of the two problems, as there is a simple reduction 
from SVP to CVP that preserves the dimension n of the lattice IIGMSS99I , even in the approximate 
case, while there is no known reduction in the other direction that preserves the dimensionj^ In¬ 
deed, CVP is in some sense nearly "complete for lattice problems," as there are known dimension¬ 
preserving reductions from nearly all important lattice problems to CVP, such as the Shortest Inde¬ 
pendent Vector Problem, Subspace Avoidance Problem, Generalized Glosest Vector Problem, and the 
Successive Minima Problem llMic08l . (The Lattice Isomorphism Problem is an important exception.) 
None of these problems has a known dimension-preserving reduction to SVP. 

Exact algorithms for GVP and SVP have a rich history. Karman initiated their study with an 
enumeration-based algorithm for GVP IIKan87l , and many others improved upon his tech¬ 

nique to achieve better running times IIHel85l[HS07[|MW15| . Since these algorithms solve GVP, they 
also imply solutions for SVP and all of the problems listed above. (Notably, these algorithms use only 
polynomial space.) 

For over a decade, these n®*^”)-time algorithms remained the state of the art until, in a ma¬ 
jor breakthrough, Ajtai, Kumar, and Sivakumar (AKS) published the first 2^(”)-time algorithm for 
SVP HAKSOll . The AKS algorithm is based on "randomized sieving," in which many randomly gen¬ 
erated lattice vectors are iteratively combined to create successively shorter lattice vectors. The work 
of AKS led to two major questions: First, can GVP be solved in 2®^”) time? And second, what is the 
best achievable constant in the exponent? Much work went into solving both of these problems using 
AKS's sieving technique IIAKSnillAKSn2llNTO[AJ08llBNn9llPSn9llMVini[HPST^ culminating in a 
0(2^'^^^”)-time algorithm for SVP and a 2®(”)(1 -|- l/ej'^^'^^-time algorithm for (1 -|- e)-approximate 
GVP. 


But, exact GVP is a much subtler problem than approximate GVP or exact SVP. In particular, for 
any approximation factor 7 > 1 , a target vector t can have arbitrarily many 7 -approximate closest 
vectors in the lattice C. For example, C might contain many vectors whose length is arbitrarily shorter 
than the distance between t and the lattice, so that any closest lattice vector is "surrounded by" many 
7 -approximate closest vectors. Randomized sieving algorithms for GVP effectively sample from a 
distribution that assigns weight to each lattice vector y according to some smooth function of ||y — 
t||. Such algorithms face a fundamental barrier in solving exact GVP: they can "barely distinguish 
between" 7 -approximate closest vectors and exact closest vectors for very small 7 . (This problem 
does not arise when solving SVP because upper bounds on the lattice kissing number show that 
there cannot be arbitrarily many 7 -approximate shortest lattice vectors. Indeed, such upper bounds 
play a crucial role in the analysis of sieving algorithms for exact SVP.) 

So, the important question of whether GVP could be solved exactly in singly exponential time 
remained open until the landmark algorithm of Micciancio and Voulgaris IMV131 (MV), which built 
upon the approach of Sommer, Feder, and Shalvi HSFS09L MV showed a deterministic 0(4”)-time 
and 0(2”)-space algorithm for exact GVP. The MV algorithm uses the Voronoi cell of the lattice—the 
centrally symmetric polytope corresponding to the points closer to the origin than to any other lattice 
point. Until very recently, this algorithm had the best known asymptotic running time for both SVP 
and GVP. Prior to this work, this was the only known algorithm to solve GVP exactly in 2®^'’) time. 

Very recently, Aggarwal, Dadush, Regev, and Stephens-Davidowitz (ADRS) gave a 2”+'’(”)-time 
and space algorithm for SVP IIADRS15I . They accomplished this by giving an algorithm that solves 
the Discrete Gaussian Sampling problem (DGS) over a lattice C. (As this is the starting point for 
our work, we describe their techniques in some detail below.) They also showed how to use their 
techniques to approximate GVP to within a factor of 1.97 in time but like AKS a decade 


^Since both problems are NP-complete, there is necessarily an efficient reduction from CVP to SVP. However, all known 
reductions either blow up the approximation factor or the dimension of the lattice by a polynomial factor IKan87llDHlll . 
Since we are interested in an algorithm for solving exact CVP whose running time is exponential in the dimension, such 
reductions are not useful for us. 
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earlier, they left open a natural question: is there a corresponding algorithm for exact CVP (or even 
(1 + o(l))-approximate CVP)? 

Main contribution. Our main result is a 2”+“^")-time and space algorithm that solves CVP ex¬ 
actly via discrete Gaussian sampling. We achieve this in three steps. First, we show how to modify 
the ADRS sampling algorithm to solve DGS over lattice shifts, C — t. While the actual algorithm 
is a trivial generalization of ADRS, the analysis uses substantial new ideas. This result alone im¬ 
mediately gives a 2”+°(”)-time algorithm to approximate GVP to within any approximation factor 
'y = \ + logn) Second, we show that the approximate closest vectors to a target can be grouped 
into "lower-dimensional clusters." We use this to show a reduction from exact GVP to a variant of 
approximate GVP Third, we show that our sampling algorithm actually solves this variant of ap¬ 
proximate GVP, yielding a 2”+°(”)-time algorithm for exact GVP. 

We find this result to be quite surprising as, in spite of much research in this area, all previous 
"truly randomized" algorithms only gave approximate solutions to GVP. Indeed, this barrier seemed 
inherent, as we described above. Our solution depends crucially on the large number of outputs from 
our sampling algorithm and new properties of the discrete Gaussian. 


1.1 Our techniques 


The ADRS algorithm for centered DGS and our generalization. The centered discrete Gaussian 
distribution over a lattice C with parameter s > 0, denoted Djr g, is the probability distribution ob¬ 
tained by assigning to each vector y G £ a probability proportional to its Gaussian mass, ps{C) := 
g-^lly|l As the parameter s becomes smaller, D£ s becomes more concentrated on the shorter vec¬ 
tors in the lattice. So, for a properly chosen parameter, a sample from Dc,s is guaranteed to be a 
shortest lattice vector with not-too-small probability. 

ADRS's primary contribution was an algorithm that solves DGS in the centered case, i.e., an algo¬ 
rithm that samples from for any s. To achieve this, they show how to build a discrete Gaussian 
"combiner," which takes samples from Dc,s and converts them to samples from The com¬ 

biner is based on the simple but powerful observation that the average of two vectors sampled from 
D£ s is distributed exactly as s/Vi' P^o'^^ded that we condition on the result being in the lattice lADRSlSi 
Lemma 3.4]. Note that the average of two lattice vectors is in the lattice if and only if they lie in the 
same coset of 2C. The ADRS algorithm therefore starts with many samples from g for some very 
high s (which can be computed efficiently iKle00llGPV08llBLP+13l l and repeatedly takes the average 
of carefully chosen pairs of vectors that lie in the same coset of 2 £ to obtain samples from the discrete 
Gaussian with a much lower parameter. 

The ADRS algorithm chooses which vectors to combine via rejection sampling applied to the 
cosets of 2C, and a key part of the analysis shows that this rejection sampling does not "throw out" 
too many vectors. In particular, ADRS show that, if a single run of the combiner starts with M sam¬ 
ples from D£ s, then the output will be f>{s)M samples from s/\/ 2 ' where the "loss factor" f>{s) is 
equal to the ratio of the collision probability of g mod 2C divided by the maximal weight of a single 
coset (with some smaller factors that we ignore here for simplicity). It is not hard to check that for 
any probability distribution over 2” elements, this loss factor is lower bounded by 2^”^^. This obser¬ 
vation does not suffice, however, since the combiner must be run many times to solve SVP. It is easy 
to see that the central coset, 2C, has maximal weight proportional to Ps/ 2 {C,), and ADRS show that 
the collision probability is proportional to Pg/^(£)^. Indeed, the loss factor for a single step is given 
by^(s) = p^/^{Cf/{ps{C)p s/ 2 (-C)). Therefore, the total loss factor j6(s)/3(s/ \/2) ■ ■ ■ f{s/2 ac¬ 
cumulated after rurming the combiner (. times is given by a telescoping product, which is easily 
bounded by 2^”^^. So, (ignoring small factors) their sampler returns at least 2^”^^ ■ M samples from 

g/ 2 -f/ 2 . The ADRS combiner requires M > 2” vectors "just to get started," so they obtain a 
time algorithm for centered DGS that yields 2”^^ samples. 
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In this work, we show that some of the above analysis carries over easily to the more general 
case of shifted discrete Gaussians, D£_t g for t G —the distribution that assigns Gaussian weight 
|Os(w) to each w G £ — t. As in the centered case, the average of two vectors sampled from Djr-t,s 
is distributed exactly as provided that we condition on the two vectors landing in the same coset 

oflC. (See Lemma 4.1 and Proposition |4.2[ ) We can therefore use essentially the same combiner as 
ADRS to obtain discrete Gaussian samples from the shifted discrete Gaussian with low parameters. 

The primary technical challenge in this part of our work is to bound the accumulated loss factor 
/l(s)j 6 (s/ V 2 ) ■ ■ ■ While the loss factor for a single run of the combiner j 6 (s) is again equal 

to the ratio of the collision probability over the cosets to the maximal weight of a coset, this ratio does 
not seem to have such a nice representation in the shifted case. (See Gorollary |4.2[ ) In particular, it is 
no longer clear which coset has maximal weight, and this coset can even vary with s! To solve this 
problem, we first introduce a new inequality (Gorollary |3.3| l, which relates the maximal weight of a 
coset with parameter s to the maximal weight of a coset with parameter s/ \/2^ We then show how 
to use this inequality to inductively bound the accumulated loss factor by (ignoring small factors) 


Ps(/:-t) 


' ■_ ^ 2^—n 

maxcg£/(2£)ps(c-t) - 


( 1 ) 


So, we only need to start out with 2" vectors to guarantee that our sampler will return at least one 
vector. (Like the ADRS algorithm, our algorithm requires at least 2" vectors "just to get started.") 

This is already sufficient to obtain a 2”+°(”)-ti me s olution to approximate GVP for any approxi¬ 
mation factor 7 = 1 + (See Gorollary |4.8[ ) Below, we show that the loss factor in ([TJ is 

essentially exactly what we need to construct our exact GVP algorithm. In particular, we note that if 
we start with T • 2" vectors, then the number of output samples is 


T- 




maXcg£/(2£) ps{c - t) maXcg£/(2£) Pr[D£_t,g G c - t] ' 


( 2 ) 


I.e., we obtain roughly enough samples to "see each coset whose mass is within a factor T of the 
maximum." 


A reduction from exact CVP to a variant of approximate CVP. In order to solve exact GVP, we 
consider a new variant of approximate GVP called the cluster Glosest Vector Problem (cGVP). The 
goal of cGVP is to find a vector that is not only very close to the target, but also very close to an 
exact GVP solution. More specifically, a vector y G £ is a valid solution to a-cGVP if there exists 
an exact closest vector y' such that ||y — y^|l < x ■ dist(t, £). We will show below that approximate 
closest lattice vectors can be grouped into "clusters" contained in balls of radius a ■ dist(t, £). If a 
is sufficiently small (i.e., a. < Cf \/n), then we can find a lower-rank sublattice C (Z C so that each 
cluster is actually contained in a shift of C. (I.e., each cluster is contained in a lower-dimensional 
affine subspace. See Figurej^for an illustration of the clustering phenomenon.) Furthermore, a cGVP 
oracle is sufficient to find this sublattice C. So, we can solve exact GVP by (1) computing £,') (2) 
solving a-cGVP to find a lattice vector y that is in the "correct" shift of CJ) and then (3) solving GVP 
recursively over the lower-rank shifted lattice CJ -|- y. (See Glaim 5.2 for the full reduction.) 

This reduction might seem a bit too simple, and indeed we do not know how to use it directly. 
While we will be able to show that our sampling algorithm does in fact output a solution to cGVP 
with sufficiently high probability, it will typically output very many vectors, many of which will not 
be valid solutions to cGVP! We do not know of any efficient way of "picking out" a solution to cGVP 
from a list of lattice vectors that contains at least one solution. (Note that this issue does not arise 
for GVP or even approximate GVP, since for these problems we can just take the vector in the list 


^This inequality is closely related to that of IRS15I , and it (or the more general Lemma 3.2 1 may be of independent 


interest. Indeed, we use it in two seemingly unrelated contexts in the sequel—to boimd the loss factor of the sampler, and 
to show that cosets that contain a closest vector have relatively high weight. 
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Figure 1: A two-dimensional lattice and a target point t, showing the "clustering" of the approximate 
closest points. The lattice points inside the dotted circle are approximate closest vectors, and they are 
clearly organized into two clusters that lie in two distinct one-dimensional affine subspaces. The 
closest lattice point is highlighted in blue; the points in the same cluster (i.e., the valid solutions 
to cCVP) are shown in purple; and approximate closest points in a different cluster are shown in 
red. Notice that close points in the same coset mod 2C, (i.e., points separated by a vector in 2C) are 
necessarily in the same cluster. 


that is closest to the target.) So, we consider an easier problem, a-cCVP^. A valid solution to this 
problem is a list of at most p lattice vectors, at least one of which lies in the same "cluster" as an exact 
closest vector, as described above. (See Definition |5.1[ ) This leads to a natural generalization of the 
reduction described above, as follows. (1) Compute the lower-rank sublattice C <Z C as before; (2) 
solve a-cCVP^ to obtain a list of vectors (y,,... ,yp), one of which must lie in the "correct" shift of 
C) (3) solve CVP recursively on all distinct shifts C -|- y,; and finally (4) output the closest resulting 
point to the target t 

Correctness of this procedure follows immediately from the correctness in the special case when 
p = 1. However, bounding the number of recursive calls is more difficult. We accomplish this by 
first showing that any two of approximate closest vectors y„ yj that are in the same coset mod 2C 
must also be in the same cluster. (See Lemma 5.3 ) This shows that there are at most 2” clusters 

and therefore at most 2” recursive calls, which would show that the running time is at most roughly 

2 

2" . We obtain a much better bound via a technical lemma, which shows that we can always choose 
the parameters such that either (1) the number of clusters is at most 2”^'^, where d is the rank of the 
sublattice C] or (2) there are "slightly more" than 2”^^ clusters, but the rank d of C is "significantly 
less than" n. (See Lemma [5.6| ) This will allow us to show that the total number of calls mad e on 
sub lattices of rank d after a full run of the algorithm is at most (See Theorem 5.7) In 


particular, this shows that, in order to solve exact CVP in time it suffices to find an algorithm 

that solves a-cCVP^ for small a that itself runs in time on lattices of rank d. 


Solving cluster CVP. Our final task is to solve a-cCVP^ for sufficiently small a. in time. In 

other words, we must find an algorithm that outputs a list of approximate closest vectors to the target 
t, at least one of which is very close to an exact closest vector. As we noted above, our discrete Gaus¬ 
sian sampler can be used to obtain approximate closest vectors with extremely good approximation 
factors. Furthermore, any two approximate closest vectors that lie in the same coset mod 2C must 
be very close to each other. It therefore suffices to show that at least one of the output vectors of our 
DCS algorithm will be in the same coset as an exact closest vector mod 2C. 

This is why the number of output samples that we computed in (|^ is so remarkably convenient. 
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If a coset's Gaussian mass is within some not-too-large multiplicative factor T of the maximal mass 
of any coset and we run our sampler, say, T • poly(n) times, then with high probability one of our 
output vectors will land in this coset! In particular, if we can find a bound j < on the ratio 
between the maximal mass of any coset and the mass of a coset with a closest vector, then we can 
simply run our sampler T ■ poly(n) times to find a vector in the same coset as this closest vector. In 
other words, we obtain a 2”+°(”)-time solution to a-cCVP^, as needed. Intuitively, such a bound T 
seems reasonable, since a closest vector itself has higher mass than any other point, so one might 
hope that its coset has relatively high mass. 

Unfortunately, we cannot have such a bound for arbitrary s. There exist "pathological" lattices 
C and targets t such that for some parameter s, the coset of a closest vector to t has relatively low 
mass, while some other coset contains many points whose combined mass is quite high, even though 
it does not contain an exact closest vector. However, we can show that this cannot happen for "too 
many" different parameters s. Specifically, we show how to pick a list of parameters Si > ■ ■ • > 
such that, for at least one of these parameters, the bound T < that we required above will hold. 
This suffices for our purposes. The proof of this statement is quite technical and relies heavily on the 
new inequality that we prove in Section]^ (See Corollary |6.3[) 


1.2 Related work 


Our exact CVP algorithm uses many ideas from many different types of lattice algorithms, including 
sieving, basis reduction, and discrete Gaussian sampling. Our algorithm combines these ideas in a 
way that (almost magically, and in ways that we do not fully understand) avoids the major pitfalls of 
each. We summarize the relationship of our algorithm to some prior work below. 

First, our algorithm finds an approximate Hermite-Korkine-Zolatoreff (HKZ) basis and essen¬ 
tially "guesses" the last n — k coefficients of a closest vector with respect to this basis. HKZ bases 
are extremely well-studied by the basis reduction community iKan87l lHel85l |LJS90| IHS0711MW15I , 
and this idea is used in essentially all enumeration algorithms for CVP. However, there are examples 
where the standard basis enumeration techniques require time to solve CVP (See, e.g., | BGJ14| .) 
The main reason for this is that such techniques work recursively on projections of the base lattice, and 
the projected lattice often contains many points close to the projected target that do not "lift" to points 
close to the target in the full lattice. Using our techniques, we never need to project, and we are there¬ 
fore able to ignore these useless points while still guaranteeing that we will find a point whose last 
n —k coefficients with respect to the basis are equal to those of the closest vector. 

Many other authors have noted that the approximate closest lattice vectors form clusters, mostly 
in the context of AKS-like sieving algorithms. For example, the (1 -|- e)-approximate closest vectors to 
t can be grouped into 2®^”) (1 -|- 1/e)” clusters of diameter e ■ dist(t, C) (see, e.g., [AJ08tiDK13l ). While 
the clustering bound that we obtain is both stronger and simpler to prove (using an elementary par¬ 
ity argument), we are unaware of prior work mentioning this particular bound. This is likely because 
sieving algorithms are typically concerned with constant-factor approximations, whereas our sam¬ 
pler allows us to work with "unconscionably" good approximation factors 7 = 1 -|- Our 

clustering bound seems to be both less natural and less useful for the constant-factor approximations 
achieved by 2 ®(”)-time sieving algorithms. 

IBD15I improve on the MV algorithm by showing that, once the Voronoi cell of C has been com¬ 
puted, CVP on C can be solved in 0(2") expected time. Indeed, before we found this algorithm, 
we hoped to solve CVP quickly by using the ADRS sampler to compute the Voronoi cell in 
time. (This corresponds to computing the shortest vectors in every coset of C/ (20).) Even with our 
current techniques, we do not know how to achieve this, and we leave this as an open problem. 

Finally, after this work was published, IStelSl showed a dimension-preserving reduction from 
DGS to CVP, answering a question posed in an earlier version of this paper. Together with our 
work, this reduction immediately implies a 2”+'’(”)-time algorithm for DGS with any parameter s. 
(Our algorithm works for any parameter s > dist(t, C) ■ but not arbitrarily small s.) This 

also provides some (arguably weak) evidence that our technique of using DGS for solving CVP is 
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"correct," in the sense that any faster algorithm for CVP necessarily yields a faster algorithm for 
DGS. 

1.3 Open problems and directions for future work 

Of course, the most natural and important open problem is whether a faster algorithm for CVP is 
possible. (Even an algorithm with the same running time as ours that is simpler or deterministic 
would be very interesting.) There seem to be fundamental barriers to significantly improving our 
method, as both our sampler and our reduction to exact CVP require enumeration over the 2" cosets 
of 2C. And, Micciancio and Voulgaris note that their techniques also seem incapable of yielding 
an algorithm that runs in less than 2" time (for similar reasons) IIMV13I . Indeed, our techniques 
and those of MV seem to inherently solve the harder (though likely not very important) problem of 
finding all closest vectors simultaneously. Since there can be 2” such vectors, this problem trivially 
cannot be solved in better than 2” time in the worst case. So, if an algorithm with a better running 
time is to be found, it would likely require substantial new ideas. 

Civen these barriers, we also ask whether we can find a comparable lower bound. In particular, 
Micciancio and Voulgaris note that the standard NP-hardness proof for CVP actually shows that, 
assuming the Exponential Time Hypothesis, there is some constant c > 0 such that no 2“^”-time al¬ 
gorithm solves CVP IIMV13I . Recent unpublished work by Samuel Yeom shows that we can take 
c = 10^"^ under plausible complexity assumptions llVailSI . Obviously, this gap is quite wide, and we 
ask whether we can make significant progress towards closing it. 

In this work, we show how to use a technique that seems "inherently approximate" to solve exact 
CVP. I.e., our algorithm is randomized and, during any given recursive call, each 7 -approximate 
closest vector has nearly the same likelihood of appearing as an exact closest vector for sufficiently 
small 7 . Indeed, prior to this work, the only known algorithm that solved exact CVP in time 
was the deterministic MV algorithm, while the "AKS-like" randomized sieving algorithms for CVP 
achieve only constant approximation factors. It would be very interesting to find exact variants of the 
sieving algorithms. The primary hurdle towards adapting our method to such algorithms seems to 
be the very good approximation factor that we require—our ideas seem to require an approximation 
factor of at most 7 = 1 -|- l/poly(n), while 2 ®(”)-time sieving algorithms only achieve constant ap¬ 
proximation factors. But, it is plausible that our techniques could be adapted to work in this setting, 
potentially yielding an "AKS-like" algorithm for exact CVP. Even if such an algorithm were not prov- 
ably faster than ours, it might be more efficient in practice, as sieving algorithms tend to outperform 
their provable running times (while our algorithm quite clearly runs in time at least 2 ”). 

A long-standing open problem is to find an algorithm that solves CVP in time but polynomial 
space. Currently, the only known algorithms that run in pol}momial space are the enumeration- 
based method of Kannan and its variants, which run in time. Indeed, even for SVP, there is no 
known polynomial-space algorithm that runs in 2®(”) time. This is part of the reason why n®(”)-time 
enumeration-based methods are often used in practice to solve large instances of CVP and SVP, in 
spite of their much worse asymptotic running time. 

The authors are particularly interested in finding a better explanation for why "everything seems 
to work out" so remarkably well in the analysis of our algorithm. It seems almost magical that we 
end up with exactly as many samples as we need for our CVP to DCS reduction to go through. We 
do not have a good intuitive understanding of why our sampler returns the number of samples that 
it does, but it seems largely unrelated to the reason that our CVP algorithm needs as many samples 
as it does. The fact that these two numbers are the same is remarkable, and we would love a clear 
explanation. A better understanding of this would be interesting in its own right, and it could lead 
to an improved algorithm. 
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Organization 

In Section we provide an overview of the necessary background material and give the basic def¬ 
initions used throughout the paper. In Section we derive an inequality (Corollary |3.3| l that will 
allow us to bound the "loss factor" of our sampler and the running time of our exact CVP algorithm. 
In Section we present our discrete Gaussian sampler, which immediately yields an approximate 
CVP algorithm. In Section we analyze the structure of the approximate closest vectors and show 
that this leads to a reduction from exact CVP to a variant of approximate CVP. Finally, in Section 
we show that our DGS algorithm yields a solution to this variant of approximate CVP (and as a 
consequence, we derive our exact CVP algorithm.) 

2 Preliminaries 

Let N = {0,1,2,...}. Except where we specify otherwise, we use C, Ci, and Cz to denote universal 
positive constants, which might differ from one occurrence to the next (even in the same sequence 
of (in)equalities). We use bold letters x for vectors and denote a vector's coordinates with indices v,. 
Throughout the paper, n will always be the dimension of the ambient space R”. 

2.1 Lattices 

A rank d lattice C C R” is the set of all integer linear combinations of d linearly independent vectors 
B = (bi,..., h^). B is called a basis of the lattice and is not unique. Formally, a lattice is represented 
by a basis B for computational purposes, though for simplicity we often do not make this explicit. If 
n = d, we say that the lattice has full rank. We often implicitly assume that the lattice is full rank, as 
otherwise we can simply work over the subspace spanned by the lattice. 

Given a basis, (bi ,... ,hi), we write C{hi ,... ,bd) to denote the lattice with basis (bi,..., b^^). 
The length of a shortest non-zero vector in the lattice is written Ai(>C). For a vector t G R”, we 
write dist(t, C) to denote the distance between t and the lattice, minyg£(||y — t||). We call any y G £ 
minimizing ||y — t|| a closest vector to t. The covering radius is }i{C) := maxt dist(t, C). 

Definition 2.1. For a lattice C, the ith successive minimum of C is 

A,(£) = min{r : dim(span(£ n B(0,r))) > i} . 

Intuitively, the fth successive minimum of C is the smallest value r such that there are i linearly 
independent vectors in £ of length at most r. We will need the following two facts. 

Theorem 2.2 ( iBHW93l Theorem 2.1]). For any lattice £ C R” and s > 0, 

|{y e £ : ||y|| < sAi(i:)}| < 2[2s]” - 1. 

Lemma 2.3. For any lattice £ C R” with basis (bi,..., bn), 

A,(£)"<^(£)"<Lf;i|b,||V 


2.2 The discrete Gaussian distribution 

For any s > 0, we define the function ps : R" — > R as Ps(t) := exp( — 7r||t||^/s^). When s = 1, we 
simply write p(t). For a discrete set A C R" we define Ps(A) := Ps(x). 

Definition 2.4. For a lattice C C R”, a shift t G R”, and parameter s > 0, let be the probability 

distribution over C — t such that the probability of drawing x G £ — t is proportional to Ps(x). We call this 
the discrete Gaussian distribution over C — t with parameter s. 


8 




We make frequent use of the discrete Gaussian over the cosets of a sublattice. \i C C £ is a 
sub lattice of C, then the set of cosets, C/ C is the set of translations of C by lattice vectors, c = 
C + y for some y E C. (Note that c is a set, not a vector.) Banaszczyk proved the following three 
bounds IIBan93l . 

Lemma 2.5 ( IIBan93[ Lemma 1.4]). For any lattice £ C K” and s > 1, 

Ps{C) < s^p{C) . 


Lemma 2.6. For any lattice C C R”, s > 0, t G R” 


P.(t) < 


Ps{C) 


< 1. 


Lemma 2.7 (' iDRS14l Lemma 2.13]). For any lattice C C R”, s > 0, t G R", and r > \/\/2 k, 

Pr [||X|| > rsv/n] < {^2ner^ex^{-nr^)Y . 

From these, we derive the following corollary. 

Corollary 2.8. For any lattice C C R”, s > 0, and t G R", let a C)/ {^/ns). Then, for any 

r > \l \f2Ti, _ 

Pr [||X|| > rs-\/n] < e^'’“^('\/27rer2exp( —/rr^))” . (3) 

X~D£_1,s 

Furthermore, if a < 2”, we have that 

Pr[||X||2 > dist{t,Cf + 2{snf] < e-^"\ 


Proof. We can assume without loss of generality that 0 is a closest vector to t in £ and therefore 
d := dist(t, C) = ||t||. Equatio n then follows from combining Lemma 2.6 with Lemma 2.7 

Let r = + 2n > 1/\/2k, and note that rs\/n = d'^ -\- 2{ns)^. Then, by the first part of the 

corollary, we have that 


Pr[||X|p > d^ + 2{sn)^] = Pr[||X|| > rs\/n] 

< e^^"" ■ {2ne{a.^ + 2n))”^^ • 

< (47re22”) 

^ g(ln( 47 Te)/ 2 )ji+(ln 2 )n^— 27 rn^ 

< , 


as needed. 


□ 


2.3 The Gram-Schmidt orthogonalization and 7 -HKZ bases 

Given a basis, B = (bi, .. .,b„), we define its Gram-Schmidt orthogonalization (bi,..., b,,) by 
and the corresponding Gram-Schmidt coefficients piy by 





Here, ka is the orthogonal projection on the subspace A and {bi,... ,b;_i}^ denotes the subspace 
orthogonal to bi,..., b;_i. 
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Definition 2.9. A basis B = (bi, ... ,bn) of Cis a ^-approximate Hermite-Korkin-Zolotarev (j-HKZ) basis 

if 

1- llbill <T-Ai(i:); 

2. the Gram-Schmidt coefficients of B satisfy \piy\ < j for all j < i; and 

3. 7r|bj}± (b 2 ),..., 

^{bi}^ (bn) is a j-HKZ basis of 7T^^,^y±{C). 

We use 7 -HKZ bases in the sequel to find "sublattices that contain all short vectors." In particular, 
note that if (bi,..., bn) is a 7 -HKZ basis for C, then for any index k, C (bi,..., b^-i ) contains all lattice 
vectors y & C with ||y || < ||bj:|| / 7 . When 7 = 1 , we omit it. 

2.4 Lattice problems 

Definition 2.10. For 7 = 7(n) > 1 (the approximation factor), the search problem 'y-CVP (Closest Vector 
Problem) is defined as follows: The input is a basis Bfor a lattice £ C R” and a target vector t G R”. The goal 
is to output a vector y G £ with ||y — t|| < 7 • dist(t, C). 

When 7 = 1, we omit it and call the problem exact CVP or simply CVP. 

Definition 2.11. For e > 0 (the error), a (the minimal parameter) a function that maps shifted lattices to 
non-negative real numbers, and m (the desired number of output vectors) a function that maps shifted lattices 
and positive real numbers to natural numbers, s-DGS’f (the Discrete Gaussian Sampling problem) is defined 
as follows: The input is a basis Bfor a lattice C C R", a shift t G R”, and a parameter s > a(C — t). The 
goal is to output a sequence of in >m(C — i,s) vectors whose joint distribution is e-close to Df^^. 

We stress that e bounds the statistical distance between the joint distribution of the output vectors 
and m independent samples from D£_t,s- 

2.5 Some known algorithms 

The following theorem was proven by Ajtai, Kumar, and Sivakumar BAKSOll . building on work of 
Schnorr ||Sch87| . 

Theorem 2.12. There is an algorithm that takes as input a lattice L C R”, target t G R'k and parameter 
u >2 and outputs a ^-FtKZ basis of C and a j'-approximate closest vector to t in time ■ poly(n), where 
7 ;= and 7' := 

The next theorem was proven by IIGMSS99I . 

Theorem 2.13. For any 7 = 7(n) > 1 , there is an efficient dimension-preserving reduction from the problem 
of computing a 'y-HKZ basis to j-CVP. 

We will also need the following algorithm. 

Theorem 2.14 ( HADRSlSl Theorem 3.3]). There is an algorithm that takes as input k > 2 (the confidence 
parameter) and M elements from { 1 ,..., N} and outputs a sequence of elements from the same set such that 

1. the running time is M ■ poly(log k, log N); 

2. each i G { 1 ,..., N} appears at least twice as often in the input as in the output; and 

3. if the input consists of M > lOK^/maxp, independent samples from the distribution that assigns 
probability pi to element i, then the output is within statistical distance CiMNlogNexp(—C 2 K:) of 
m independent samples with respective probabilities pj/ YLpj where m > M ■ Jj, p?/ (32 k max p,) is a 
random variable. 


10 










3 Some inequalities concerning Gaussians on shifted lattices 

We first prove an inequality (Corollary |3.3| concerning the Gaussian measure over shifted lattices. 
We will use this inequality to show that our sampler outputs sufficiently many samples; and to show 
that our recursive CVP algorithm will "find a cluster with a closest point" with high probability The 
inequality is similar in flavor to the main inequality in I1RS15I , and it (or the more general form given 
in Lemma may have additional applications. The proof uses the following identity from IIRS15L 

Lemma 3.1 f llRSlSi Eq. (3)]). For any lattice C C R”, any two vectors x, y G R”, and s > 0, we have 

Ps{C-x)ps{C-y) = PvTs(c-x-y)PvTs(c-x + y) • 

ceC/{2C) 


Our inequality then follows easily. 

Lemma 3.2. For any lattice C C R”, any two vectors x, y G R”, and s > 0, we have 

Ps{C-x)ps{C-y) < max p^^(c-x-y) •p^^(/:-x + y) 

cEL/[2L} 


Proof. Using Lemma 3.1 we get the following. 

Ps{C-x)ps{C-y) = EC2s('^-^-y)Ev'2s(‘^-^ + y) 


ceC/{2C) 

- E PvTs(d-x + y) 

deC/{2C) 

= (c - - y) ■ PvTs (^ - ^ + y) • 


Setting X = y = w + t for any w G U and switching 2C with C gives the following inequality. 
Corollary 3.3. For any lattice C C R”, t G R”, and s > 0, we have 

max ps(c-t)^< max p , /^(c - t) ■ p , /^(U) . 

c6£/(2£)'^ c 6£/(2/;) rs/V2v 


□ 


4 Sampling from the discrete Gaussian 

4.1 Combining discrete Gaussian samples 

The following lemma and proposition are the shifted analogues of jADRSlSl Lemma 3.4] and jADRSlSi 
Proposition 3.5] respectively. Their proofs are nearly identical to the related proofs in IIADRS15I , and 
we include them in the appendix for completeness. (We note that Lemma |4.1| can be viewed as a 
special case of Lemma [34] ) 

Lemma 4.1. Let C C R”, s > 0 and t G R”. Then for ally ^ C — t, 

Pr [(Xi+X2)/2 = y|Xi + X2G2f:-2t] = Pr [X = y] . (4) 


Proposition 4.2. There is an algorithm that takes as input a lattice C C R”, t G R”, k > 2 (the confidence 
parameter), and a sequence of vectors from C — t, and outputs a sequence of vectors from C — t such that, if 
the input consists of 


M > IOk^ 


max,g^/( 2 £) ps(c-t) 
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independent samples from D^^isfor some s > 0, then the output is within statistical distance Mexp(Cin — 
Czk) ofm independent samples from where m is a random variable with 


m > M ■ 


32k 


Ps/vii^y Ps/Vii^ 

Ps{C - t) max^^c/{2C) ps{c - t) ■ 


The running time of the algorithm is at most M ■ poly(n, log k). 

We will show in Theorem 4.3 that by calling the algorithm from Proposition |4.2| repeatedly, we 
obtain a general discrete Gaussian combiner. 


Theorem 4.3. There is an algorithm that takes as input a lattice C C R”, £ G N (the step parameter), k>2 
(the confidence parameter), t G R”, and M = (32k:)^+^ ■ 2" vectors in C such that, if the input vectors are 
distributed as D^-isfor some s > 0 , then the output is a list of vectors whose distribution is within statistical 
distance £Mexp{Cin — Cik) of at least 


m = 


P2-ens{C - 1 ) 

^^^ceC/{2C) P2-</2s(c 


t) 


independent samples from i-ms- The algorithm runs in time £M ■ poly(n, log k). 

Proof Let T’o = (Xi,..., Xjvi) be the sequence of input vectors. For i = 0,..., ^ — 1, the algorithm 
calls the procedure from Proposition |4^ with input C, k, and Xi, receiving an output sequence 
of length Finally, the algorithm outputs the sequence 

The running time is clear. Fix £, s, t and Define6(f) := p 2 -i/ 2 g{C), (p{i) := max^fr£/(^2£) P 2 -‘/^si^ ~ 
t), and ip{i) p 2 -i/ 2 ,{C - t). 

We wish to prove by induction that Xi is within statistical distance iM exp (Cin — Cix) of D^'_^ 2 - 1 / 2 ^ 
with 


M, > (32k)'-'+' . 'hT , 


(5) 


for all i > 1. This implies that Mi > m as needed. 

Let 

0{i + l)tp{i + l) 


be the "loss factor" resulting from the (f 
Corollary |3.3} we have 

T{i) > 


l)st run of the combiner, ignoring the factor of 32 k. By 

xp{i + 1 ) (p{i) 


(pii + 1) tp{i) 


( 6 ) 


By Proposition |4.2} up to statistical distance Mexp(Cin — C 2 K), we have that Xi has the right distri¬ 
bution with 


Ml > 


1 


•Mo-1(0) 


> (32k)^• 2" ■ 


M m 
m m' 


where we used Eq. (|^ with i = 0. By noting that ip{0) < 2"(p{0), we see that (|^ holds when i = 1. 

Suppose that Xj has the correct distribution and (|^ holds for some i with 0 < i < ^. In par¬ 
ticular, we have that Mi is at least 10K^xp{i)/(p(i). This is precisely the condition necessary to apply 
Proposition |4.2| So, we can apply the proposition and the induction hypothesis and obtain that (up 
to statistical distance at most (z -|- l)Mexp(Cin — C 2 K)), Xi^i has the correct distribution with 


Mi+i > ^ • Mr L(z) > (32 k)^-' • ^ ^ j = (32 k)^- 

- 32 ^ w-v J (p{i + l) ^ ’ 

where in the second inequality we used the induction hypothesis and Eq. Q. 


<p{i + i)' 


□ 
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4.2 Initializing the sampler 


In order to use our combiner, we need to start with samples from the discrete Gaussian distribution 
with some large parameter s. For very large parameters, the algorithm introduced by Klein and fur¬ 
ther analyzed by Gentry, Peikert, and Vaikuntanathan suffices IlKleOOilGPVOSl . For convenience, we 
use the following strengthening of their result due to Brakerski et ak, which provides exact samples 
and gives better bounds on the parameter s. 


Theorem 4.4 f llBLP+13[ Lemma 2.3]). There is a probabilistic polynomial-time algorithm that takes as input 
a basis Bfor a lattice £ C R" with n >2, a shift t G R”, and s > Cy^logn ■ ||B|| and outputs a vector that 
is distributed exactly as where ||B|| := max||b;||. 


When instantiated with a y-HKZ basis. Theorem 4.4 allows us to sample with parameter s = 


7 ■ poly(n) • After running our combiner o(n/ logn) times, this will allow us to sample with 

any parameter s = j ■ The following proposition and corollary show that we can 

sample with any parameter s = dist(t,>C)/ 2 “("^^° 8 ") by working over a shifted sublattice that will 
contain all high-mass vectors of the original lattice. 


Proposition 4.5. There is an algorithm that takes as input a lattice C C R", shift t G R”, r > 0, and 
parameter u >2, such that if 

r > +■dist(t,£) , 

then the output of the algorithm isy E C and a basis B' of a (possibly trivial) sublattice C Q C such that all 
vectors from C — t of length at most rfu"^^^ — dist(t, C) are also contained in C' — y — t, and || B' || < r. The 
algorithm runs in time poly(n) • 


Proof. On input a lattice C C R”, t G R”, and r > 0, the algorithm behaves as follows. First, it 
calls the procedure from Theorem 2.12 to compute a basis B = (bi,... ,bn) of C. Let 

(bi,.. . ,hn) be the corresponding Gram-Schmidt vectors. Let k > Ohe maximal such that ||b;|| < r 
for 1 < i < k, and let B' = (bi,.. .,bji.). Let arid M. = The algorithm 

then calls the procedure from Theorem 


2.12 


: again with the same s and input 7rjc(t) and M., receiving 
as output x = where fl/ G Z, a “-approximate closest vector to in M.. 

Finally, the algorithm returns y = — EjLjt+i ‘^i^i and B' = (bi,..., bjt). 

The running time is clear, as is the fact that || B' || < r. It remains to prove that C — y — t contains 
all sufficiently short vectors in £ — t. If k = n, then C = C and y is irrelevant, so we may assume 
that/c < n. Note that, since B is a basis, Ai(Al) > ||bjc+i||/M”^“ > r/u'^^^k In particular, 

Ai(Al) > (1 -|- ^Jn ■ m“/“) ■ dist(t,£) > (1 -|- ^/n ■ ■ dist(7r)t(t), A4). So, there is a unique closest 


2.12 


will output the 


vector to 7 r^(t) in M., and by triangle inequality, the next closest vector is at d istan ce greater than 
^n . w”/'' dist( 7 rjt(t), A4). Therefore, the call to the subprocedure from Theorem : 
exact closest vector x G A4 to 7 r)t(t). 

Let w G £ \ {C — y) so that /T/t(w) 7ik{~y) = kVe need to show that w — t is relatively long. 

Since B is a s“^®-HKZ basis, it follows that 


|| 7 r,(w)-x|| > Ai(M) 

Applying triangle inequality, we have 

||w-t|| > || 7 r),(w) - 7r,t(t)|| > || 7 r,t(w) -x|| - ||x - 7r,t(t)|| > r/w"/“ - dist(t,£) , 


as needed. □ 

Corollary 4.6. There is an algorithm that takes as input a lattice £ C R" with n > 2, shift t G R", M G N 
(the desired number of output vectors), and parameters u > 2 and s > 0 and outputs y E C, a (possibly 
trivial) sublattice C! C C, and M vectors from C' — y — t such that if 

s>CyJn log n ■ ■ dist(t, C) , 
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then the output vectors are distributed as M independent samples from and — y — t contains all 

vectors in C — i of length at most Cs/y^logn). The algorithm runs in time poly(n) ■ + poly(n) ■ 

M. 

Proof. The algorithm first calls the procedure from Proposition |4.5| with input C, t, and 

r := + v/nw”/") • dist(t,f:) , 

^logn 

receiving as output y E C and a basis B' of a sublattice C C C. It then runs the algorithm from 
Theorem |4.4| M times with input C, y + 1, and s and outputs the resulting vectors, y, and 

The running time is clear. By Proposition |4.5[ — y — t contains all vectors of length at most 

— dist(t,£) > Cs/(u"'''^‘^ylogn) in £ — t, and ||B'|| < r < Cs/s/logn. So, it follows from 
Theorem |4^ that the output has the correct distribution. □ 


4.3 The sampler 

We are now ready to present our discrete Gaussian sampler. 

Theorem 4.7. For any efficiently computable function f{n) > n^^^f let a be the function defined by — 
t) := dist(t, £)/ fin) for any lattice £ C IR” and t G R”. Let 

mid — t,s) :=-- 7 -r . 

max,g£/( 2 £) Ps(c-t) 

Then, there is an algorithm that solves e-DGSf with e{n) := 2^^”^ in time 

Proof. We assume without loss of generality that f{n) > 2n > 10. The algorithm behaves as follows 
on input a lat tice C C R”, a shift t, and a parameter s > 0 '{C — t). First, it runs the procedure from 
Corollary |4.6| with input C,t,M := ■ 2" with i := C[log/(n)], u := Cn logn/ log/(n) + 2, 

and 


:= 2^s > C^/n log 


n ■ u 


2n/u 


dist(t, £) . 


(Note that < f{n)‘~.) It receives as outp ut C' C R”, y E C, and (Xi,. .. ,Xm) G C — y — i. 


It then runs the procedure from Theorem 4.3 twice, first with input C, i, k := Cn^, t, and the first 


half of the vectors, (Xi,..., Xm/i)'/ and next with input £', i, k, t, and the second half of the vectors, 
(Xm/ 2 + 1 / • • • /Xm)- Finally, it outputs the resulting vectors. 

The running time follows fro m th e respective running times of the two subprocedures. In particu¬ 
lar, the procedure from Corollary|4^runs in time polv(n) • +M) = _|_ 2 "+ 0 (lognlog/(n)) 

2 n+ 0 (lognlog/(ji))^ procedure from Theorem |4^ runs in time £M ■ poly(n, log k) = 2 ”+ 0 (lognlog/(n)) 

By Corollary |4.6[ the X, are M independent samples from Dc -y-t s and — y — t contains all 


4.3 


vectors in £ — t of length at most Cs/ y^logn). By Theorem 
2m {C — t, s) vectors whose distribution is within statistical distance 2 
from Dc'-y-t,s- 

We now show that D£/_y_t,s is statistically close to D£_t,s- Let d := dist(t, C) and 


the output contains at least 
of independent samples 


C2^ 


r := 


w”/“y^nlogn 


>f{n)^> 


\f^ 


The statistical distance is exactly 


Pr [w^/:'-y-t]< Pr [||w| 

w~D£_t,s w~D£_t,s 

= Pr [||w| 


> cs/(M”/“yiog”)] 

> rs^/n] 


< 2 


-Cn^ 
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where we have used Corollary |2.8[ It follows that the output has the correct size and distribution. In 
particular, it follows from applying union bound over the output samples that the distribution of the 
output is within statistical distance e of independent samples from Dc-t,s, arid an easy calculation 
shows that 2 ?n(£'— t,s) > m(>C — t,s). □ 

From Theorem |4.7| and Corollary |2.8} we immediately get a weaker version of our main result, a 
2”+‘’(”)-time algorithm for 7 -CVP for any 7 = 1 + 

Corollary 4.8. For any efficiently computable function f[n) > n^^^f there is an algorithm solving (1 + 
1/f{n))-CVP (with high probability) in time In particular, if f{n) = the 

algorithm runs in time 


5 Reduction from exact CVP to a variant of approximate CVP 


We now introduce a new variant of approximate CVP that suggests a recursive algorithm for exact 
CVP. The goal is to find a lattice point y that is within some very small distance oc ■ dist(t, £) of 
a closest point y' to the target t. In Section 5.1 we show that the approximate closest points are 
arranged in "clusters," where y and y' are in the same cluster. So, we call this problem the cluster 
Closest Vector Problem (cCVP). 

In fact, it will suffice for our purposes to output many lattice vectors yi,..., yp with the guarantee 
that at least one of these points is within distance a ■ dist(t, C) to the closest vector. 


Definition 5.1. For a = a. (n) >0 (the additive error) and p = p[n) > \ (a bound on the output size), the 
search problem a-cCVP^ (cluster Closest Vector Problem) is defined as follows: The input is a basis Bfor a 
lattice £ C R" and a target vector t G R”. The goal is to output lattice vectors yi,..., yp G £ with p < p(n) 
such that there exists an index j and y' G £ with ||y' — t|| = dist(t, C) and ||yy — y'|l < a(n) ■ dist(t, C). 

Note that there is a trivial reduction from (1 + a)-CVP to a-cCVP^. Furthermore, we may assume 
without loss of generality that all of the output vectors are solutions to (1 -|- a)^-CVP. (We can simply 
throw out any vectors yj with ||yy — t|| >(! + «)• min;||y, — t||.) 

We are primarily interested in a-cCVPP for very large p (e.g., p = 2"), but we first present a simple 
recursive reduction from exact CVP to a-cCVP^ for a(n) < C/ ^^/n. Our more general reduction will 
essentially just run this procedure many times, with each run corresponding to an output vector from 
the a-cCVP^ oracle. 


Claim 5.2. There is a polynomial-time, dimension-preserving reduction from CVP to ot-cCVP^ for a(n) < 

C/^. 

Proof. On input C C R” and t G R”, the reduction behaves as follows. First, if n = 1, it solves the 


one-dimensional CVP instance in the straightforward way. Otherwise, it uses Theorem 2.13 and its 
cCVP oracle to compute a (1 -|- a)-HKZ basis (bi,..., b„) for C. It then calls its cCVP oracle on input 
C and t and receives as output y G £. Let (bi,..., b„) be the Gram-Schmidt orthogonalization of the 
hi, and choose any index k such that ||b;t|| >C||y — t||/ ^/n. Let C' := C{hi ,... ,b;t-i)- The reduction 
then calls itself recursively on input C and t — y, receiving as output x G Finally, it returns y -|- x. 

It is clear that the reduction preserves dimension and runs in pol}momial time. If n = 1, then 
correctness is also clear. Otherwise, by Lemma 2.3 ||y —t|| < Ll||bj|l < nmax||b,|| , so there must 


exist an index k as above. We assume for induction that the reduction is correct when the dimension 
of the lattice is less than n. By the definition of cCVP, there is a vector y' G £ that is closest to t in £ 
with||y —y'll < C dist(t, £)/\/n- Since ||y — y'|| < ||bfc|| = Ai(£'), it follows that y'G -|-y. By the 
induction hypothesis, x is a closest vector to t — y in C', and it follows that y -|- x is a closest vector to 
\.\n C + y = C + y'. Therefore, y -|- x is a closest vector to t in C, as needed. □ 
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5.1 Clusters of approximate closest lattice vectors 

We now wish to analyze a natural generalization of Claim that works with a-cCVP^ for arbitrary 
p. In particular, we consider a reduction that solves CVP recursively over many shifted sublattices 
C + ji where the y, are the output of the cCVP oracle and C is some fixed sublattice. Correctness of 
such an algorithm follows immediately from Claim [5^ but in order to bound the running time, we 
will need to bound the number of relevant shifts C + ji. 

We accomplish this by showing that the approximate closest lattice vectors to t form "clusters" 
according to their cosets mod 2C. This simple fact proves to be quite useful, and we will use it again 
in the next section to show that our DCS algorithm yields a solution to cCVP We suspect that it will 
have other applications as well. 

Lemma 5.3. For any lattice C C R”, t G ]R'^ ri, r 2 > 0, and wi, W 2 G £ — t with wi = W 2 (mod 2C), if 
the Wi satisfy ||w,||^ < dist(t,+ r?, then ||wi — W 2 ||^ < 2{rl + rl). 

Proof. Since wi = W 2 (mod 2C), we have that (wi + W2)/2 G £ — t. Therefore, we have that 

II wi — W2||^ = 2|| will^ + 2|| W 2 IP — 4|| (wi + W2)/2|P 

< 2(dist(t, + ^i) + 2(dist(t, + ^ 2 ) — 4dist(t, 

= 2{rl + rl). □ 


In particular. Lemma 5.3 shows that there are at most 2" clusters of approximate closest points. 
We now derive an immediate corollary, which shows that, if the points are very close to t, then each 
cluster lies in a shift of a lower-rank sublattice C defined in terms of a 7 -HKZ basis, as we need for 
our reduction. 


Corollary 5.4. For any £ C K” with j-HKZ basis (bi, .. .,hn) for some 7 > 1, t G R", and k G [n], 
let C' := L:(bi,. . .,b;t-i)- I/wi,W2 G — t with w^ = W2 (mod 2CF^ satisfy ||w^'|| ^ dist(t, -I- 

||b)t||^/7^, then wi G £' + W 2 . 


Proof. Let 2v = wi — W 2 7 ^ 0. Note that v G £ by hypothesis, and by Lemma 5.3 we have that 
||v|| < ||b|i;||/ 7 . Since Ai( 7 r£/±(>C)) > ||b|i;||/ 7 , it follows that v G as needed. □ 


To achieve our desired running time, we must show that, if C has relatively high rank, there must 
be significantly fewer than 2” shifts of C that contain approximate closest vectors. This will allow us 
to bound the number of recursive calls that we make on high-rank sublattices. We accomplish this 
with the following two technical lemmas. 

Lemma 5.5. For any £ C R" with 'y-HKZ basis (bi,.. .,b„)/or some 7 > 1, t G R”, and k G [n], let 
C ■.= C{hi ,... ,bjt-i). Ifr>0,s>0, and k < i < n + 1 satisfy 


(k-l) ,,2 ^ 1 


min{s2||bjt|p, Hb^-f} 


: i = n + 1 
: otherwise 


(7) 


then we have that 


\{ceC/C' : dist(t,c)^ < dist(t,L:)2 + r2}| < 2"-*'+i(2[2s]^ 
Proof. For each d G £/ {2C + C), let 

:= {c E C/C' : c C d and dist(t, c)^ < dist(t, C)^ + r^} 


be the set of shifts of C that are subsets of d and contain an approximate closest vector. Since C/C is 
a refinement of £/ {2C + C) and \C/{2C + C) \ = it suffices to show that |Sd| < ( 2 [ 2 s]^^^ — 

l)for alld G C/{2C + C'). 
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Fix d. Let wi, W 2 G d — t. Suppose ||wj||^ < dist(t,>C)^ + r^. A simple computation shows that 
there exist fli, ... ,ak-i G { — 1,0,1} such that wi — flib, = W 2 (mod 2C) and 

k—l 2 

Wl — ^ fl;b; < ||wi||^ + ^||b;||^ < dist(t, +r^ + ^||b;||^ . 


;=1 


! = 1 


! = 1 


Since the b; are 7 -HKZ, we have that ||b,||‘' < ||b;||^ + 5 EUy ||b;||^- Therefore, 


k-l 


k-1 


Wi - ^ fl,b; < dist(t,£)^ + r^ + {k-l) ^||b, 


Let 2v := wi — fl;b, — W 2 G 2C. Since wi — fl/b; = W 2 (mod 2C), we may apply Lemma 
to obtain 

lc-1 


5.3 


Ivll^ < ■ 


Eiib.r- 


i=l 


Let TTfc := and Ai := TZk{C{\>k, ■ ■. ,bf_i)). From the above, we have 

k-l 


||7r;c(v)|| < ||v|| < r + 


Ellb.l 


! = 1 


Recalling the constraint on £ imposed by Eq. Q, this implies that 7 rjt(v) G Ai. Furthermore, note that 
wi G £' + W 2 if and only if 7 r^(wi — W 2 ) = T[k{v) = 0. Therefore, 


|Sd| < {y G M : ||y|| <r^ + ^ } 

^ i=i 


k-l 


Finally, note that Ai(7Ll) > ||b;c||/ 7 . ByEq. 0 the length bound in the above equation is at most 
sAi(Al). The result then follows from applying Theorem 2.2 and noting that dim A4 = £ — k. □ 


This next lemma shows that we can choose an index k such that either C has fairly small rank or 
relatively few shifts of C contain approximate closest vectors. 

Lemma 5.6. For any lattice C C R” with 'y-HKZ basis (bi, ... ,h„)for some n > 2 and 1 < 7 < 1 + 
any efficiently computable function f : Z+ i-G Z+, and 


r ■= n 


'2/Wmax||b,-|l , 

ie\n\ 


there exists k G [n] such that if C' := C{bi ,... ,b)t-i), then ||b^|| > 7 ■ 4^ and 




|{c G C/C' : dist(t, c)^ < dist(t, + r^} I < 


^n—k+l 


: if n — f{n) <k < n 


^ 2 ” k+2^n/f{n) . otherwise 

Furthermore, the index k can be computed efficiently from the b,. 

Proof. Let R := max,g[,;] ||b,|| = n^f^^'^r. Define mj G [n] for 0 < j < 2f{n) to be the smallest index i 
such that ||b;|| > 7 ■ Then, by definition, we have that mo > mi > ■ ■ ■ > wr 2 j(„)_i. Furthermore, 


1 ntj — l 

2 mj -1 ’ 

'■" + Ar' L 


< R2- ( 

„4/(n) +T 


( 1 

~ n^i * 

\fl4:f{n) 2j 

R 2 


^ n 2;-2 
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K - 1)^ 

n^i 


( 8 ) 























First, consider the case when there exists j < f{n) such that nij = In this case, we claim that 

the required index is k = nij. To see this, simply note that ||bjc|| > 7 • by definition. Then, by 
Eq. the conditions for Lemma [53| are satisfied with £ = k and s = n. Applying Lemma 2.3 gives 


M > 7 ^. as needed. 


So, it suffices to assume that thq > nii > ■ ■ ■ > In this case, clearly < n — f{n). Now, 

by the pigeonhole principle, there exists j G {f{n),f{n) + 1,... ,2/(n) — 1} such that my-i — nij < 


Then, let k = nij, and £ = nij 


7, — "7-1 

on the number of shifts follows from Lemma 
applying Lemma [23} 


Noting the fact that ||bjc|| > A and Ijb^l 
and Eq. (^. The bound on ||b;c|| 


5.5 


> the bound 

again follows from 

□ 


5.2 The reduction 

We can now present our more general reduction. We note in passing that, if the cCVP oracle happens 
to output a nearby point for each exact closest lattice vector, then (a minor modification of) our 
reduction actually finds all closest vectors. 

Theorem 5.7. For any constant <5 G [0,1), there is a reduction from exact CVP to cc-cCVP^ where a{n) := 
l/( 10 n^”'^+^) such that the maximal number of oracle calls that the reduction makes on lattices of dimension 
d when the input lattice has dimension n is 

g{n,d) < poly(n) fj p{i)\. 

^ i=d+l 

The running time of the reduction is poly(n) • Yld ^)- 

Proof. The reduction behaves quite similarly to the simple procedure from Claim |5.2[ The only dif¬ 
ference is that this new reduction chooses C more carefully and makes recursive calls on many shifts 
of C' corresponding to the many outputs of its a-cCVPP oracle. In particular, on input £ C R” and 
t G K”, the reduction behaves as follows. First, if n = 1, it solves the one-dimensional CVP in¬ 


stance in the straightforward marmer. Otherwise, it uses Theorem 2.13 and its oracle to compute a 
(1 -|- a)-HKZ basis (bi,... ,b„) for £. It then calls its oracle on input C and t and receives as output 
yi^ • • • / Yp S As we noted below Definition |5.1[ we may assume without loss of generality that 


Wjj — t|C < (1 + ^(w))^ dist(t, C)^ < dist(t, C)'^ -|- ; 


- 4 «'* 


max ||b;| 
ieln] 


(9) 


The reduction then computes the index/c as in Lemma 5.6 with/(n) := n". Let>C' := >C(bi,.. .,b 


V-l; 


The reduction groups the y/ according to their coset mod C . For each such coset c, it picks an arbi¬ 
trary representative yc G c and calls itself recursively on input C and t — jc, receiving as output Xc. 
Finally, it outputs the closest Xc -|- yc to t. 


Correctness follows immediately from the proof of Claim 5.2 In particular, consider a sequence 
of recursive calls such that the corresponding yc represent valid solutions to their respective a-cCVP^ 
instances and note that the reduction behaves identically to the procedure from Claim [53] along this 
sequence. 

The statement about the running time is clear. We now analyze the number of recursive calls. 
Consider a single thread with dim£ = n and dim£' = h. The total number of recursive calls made 
by this thread is 

L{n,h) ■.= \{cEC/C' : 3fwithy;Gc}| 

< min |p(n) , \{ceC/C' : dist(t,c)^ < dist(t,>C)^- 

Note that g{n, d) satisfies the recurrence relation 


-2/(n) 


>!}■ 


( 10 ) 


g{n,d) < max L{n,h)g{h,d) , 

d<n<n 


( 11 ) 
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with base case = poly(n). The bound g(n,d) < poly(n) nr=d+i P (0 ini^i^diately 

from the fact that L{n, n ) < pin). 

Now, we wish to prove by induction that for any d and n, we have g{n,d) < for 

some constant C*. For n = 1 or d = n, this is trivial. Suppose that the induction hypothesis holds for 
dimensions less than n. By Eq. ( [TT] |, it suffices to prove that L{n,h)g[h,d) < ^‘logn £qj. 

n < n. Note that Eq. Q gives us the bound that we need to apply Lemma [ 53 } Plugging the lemma 
into Eq. ( |To| , we have 

f 2 "^” : if n > n — f(n) 

L{n,n) < < ^ . 

1 2” n+iygi/f(n) . otherwise 

\ih>n — f{n), then by this bound and the induction hypothesis, 

L{n,n)ginJ) < -gin,d) < 2«-‘^+C’>^"-"^iogn ^ 
as needed. Otherwise, n < n — f{n), and we have 

L{n,n)g{n,d) < 2"-‘^+^+c*""^"nogn^n/f{n) 

^ 2n-d+l+C* {n-\ogn+nlog2 n/fin) 

^ 2n—d+l+C*n^^'^^—C*{2—2S)n^^‘^^f{n) logn+n logj n/f{n) 

^ 2 n—d+C*n^^^ 


as needed. 


□ 


6 Finishing the proof 

6.1 The mass of cosets with closest vectors 

We now show that our DGS algorithm yields a solution to a-cCVP^, i.e., that one of its output vectors 
will be very close to an exact shortest vector in the shifted lattice with high probability when called 
with appropriate parameters. (See Definition [5d| ) By our "cluster" analysis in Section 5.1 this re¬ 
duces to showing that one of the output vectors will be a short vector that is in the same coset of 2C 
as a shortest vector. Since the number of samples returned by our algorithm is essentially the number 
that we need to "see each coset with relatively high Gaussian mass," it would suffice to show that 
any coset of 2>C — t that contains a shortest vector must have high mass. Instead, we are only able to 
prove the slightly weaker (but still sufficient) fact that for a suitable list of parameters Si,..., Si, each 
such coset has high mass with respect to the discrete Gaussian with at least one of these parameters. 
(See Gorollary |6.3| ) 

Lemma 6.1. Let C CtR" be a lattice and t G R” with y E Ca closest vector to t in C. Then, for any s > 0, 


1 < 


max, 


C6 


£/(2£) Ps(c - t) ^ YlJLl Pl-E^si^) 


1/21 


Psiy - t) ■ psilC) 


Psi2C) 


< 2 


n/l 


Proof. The first inequality trivially follows from Lemma 2.6 Let 0(f) := P2-i/2si^) and (p{i) := 
n^aXj,g£/( 2 £) P 2 -'/ 2 s(c — t)- By Gorollary|3.3| we have 


(p{i) < (p{i + l)^^^0(f -6 . 


Applying this inequality k times, we have 


7=1 
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We take the limit as /c —> oo. Since y G £ is a closest vector to t, we have 


=p,{y-t) . 

/c—>-00 

The second inequality is then imm ediate. For the third inequality, note that for all i > 2, 6{i) < 
0(2) = |0s(2£), and by Lemma 2.5 0(1) < 2”/^0(2). Therefore, 


n 0 (; y ^ < 2 "/"^ ■]^ 0 ( 2)^/2 = 2 ”/^ ■ 0 ( 2 ). □ 

We will need the following technical lemma to obtain a stronger version of Lemma |6^ 

Lemma 6.2. For any lattice C C R”, s > 0, and integer £ > 0, there exists an integer 1 < i < £ such that 




< 2v . 


Proof. For i > 0, let 9{i) : = in previous proof. Let 

nr=i0(i 


Si- = 


and 


0(f + 2) 

._0 (/ + l) 

'■ 0(/ + 2)- 


We need to sh ow t hat there exists an integer \ <i < £ such that S, < 

By Lemma 6.1 we have that for all i, 1 < S, < 2”^^, and by Lemma 2.5 we have that, 1 < Ri < 
2”/^. Note that 

0(z + l) ■0(/ + 3) _ Ri 


S;+l 


0 (/ + 2)2 


R 


i+l 


Therefore, 


>n/2 


> 


R 


Ro Ri 


i+i 


r=o ^'+1 


£ c2 c2 (. ^ ^ 

=ne7 = |rTns.£^ns-. 

i =0 ‘^' + 1 ‘^^+1 ! = 1 ^ 1 = 1 


where the first inequality uses Rq < 2"^^ and Rf+i > 1, and the last inequality uses So > 1 and 
Sf+i < 2"/^. The result then follows. □ 


Finally, we have the following corollary, which follows immediately from Lemmas 6.1 and 6.2 


and Lemma 2.6 The corollary shows that, if c G R/ (2R) contains a closest vector to t and we sample 
from Dc-t,s for many different values of s, then c — t will have relatively high weight for at least one 
parameter s. 

Corollary 6.3. For any lattice C CRP and t G R”, let j ^ C a closest vector to t in C. Then, for any s > 0 
and integer £ > 0, there exists an integer 1 < i < £ such that 


T , <c 6/:/(27:) P2-'/2s(c - t) nraX£g£/(2£) P2-''/2s(c - t) 3n 

1 < -G— -^- < - ;—^;-r < 2^^ . 


max„ 


P2-i/2,{2C + Y - t) 


P2-'/2s(y-t) ■P2-/2 s(2^) 
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6.2 The cCVP algorithm 

With Corollary |6.3[ it is almost immediate that the algorithm from Theorem |4.7| yields a solution to 
cCVR Below, we make this formal. 

Theorem 6.4. For any efficiently computable function f{n) > there is an algorithm that solves 

{1 /f {n))-cCVPP with probability at least 1 — 2^^"^ in time 2 "+ 0 (iog«iog/(n)+ji/iog/(n))^ where p{n) := 
poly(n) ■ 


Proof. On inp ut a lattice C C IR” and shift t G R”, the algorithm first calls the procedure from 


Corollary 4.8 to computed with dist(t,£)/2 < d < dist(t,>C). Let s := d/ (n^/(n)). Fori = 0,... 


[log 10/(n)], the algorithm runs the procedure from Theorem |4.7| n^ • [2”^^] times with input C, t, and 
Si := 2“*/^s, receiving as output a total of > n^2”/^ •/«(£ — t,S;) vectors (X; i,..., X, G C — t. 
(We may assume that m, < n^2” • [2”^^], since we can trivially truncate the output of each run at 
2" > m{C — t,S;) vectors.) For each i,], let yiy := X,y + t G £. Finally, the algorithm outputs the y,;/. 


4.7 


The running time is dominated by the running time of the applications of Theorem 

So, the algorithm runs in time The valuelor 

p{n) follows from the assumed bound on nii. _ 

To prove correctness, first note that by Theorem 4.7 up to statistical distance we may as 


sume that the Xj^ are distributed exactly as independent discrete Gaussians D£_t s.. Then, by Corol- 
lary |2.8[ all of the output vector s ar e (1 +1 //(n) )-approximate closest vectors except with probability 
at most 2^^”^. So, by Corollary |5.4} it suffices to show that with high probability there is some i,j such 
that Yiy is in the same coset mod 2C as a closest vector y G £ to t. Fix i as in Corollary |6.3[ Then, for 
any;. 


Pr[yy = y (mod 2C)] = 


Psf2C + Y-i) 

1 psf2£ + y-t) 


m(£-tSi) maxcg^/(2£)ps;(c-t) 


n22"/^ 3« 

>-2^« 


> 


mi 

2n^ 

nti 


(Corollary |6.3[ ) 


The result follows by recalling that the yiy are independent. □ 

We obtain our main result as a corollary. We note in passing that a simple union bound shows that 
the algorithm from Theorem |6.4| actually finds a nearby vector for each closest lattice vector. Together 
with the remark above Theorem |5.7} this shows that we can actually find all closest vectors in time 

2»! + o(«) 


Corollary 6.5. There is an algorithm that solves exact CVP (with high probability) in time 2”+®(" 


Proof. Combine the algorithm from Theorem 


6.4 


with f{n) := with the reduction from 


Theorem |5.7| with 3 := 2 f 3. (By applying a union bound over all oracle calls in the reduction, we see 
that the error is not an issue.) □ 
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A Proof of Lemma l4.1l 

Proof of Lemma [4T| Multiplying the left-hand side of Q by Pr^x, [^1 + X 2 e 2/: - 2t], we get 

for any y G £ — t, 

Pr [(Xi + X2)/2 = y] = ^ ^ ps{x)ps{2y - x) 

_ Ps/ \/2(y) 

Ps(/:-t)2 • 

Hence both sides of (Q are proportional to each other. Since they are probabilities, they are actually 
equal. □ 


B Proof of Proposition |4.2| 

Proof of Proposition \4.2\ Let (Xi,.. .,Xm) be the input vectors. For each i, let c; G LI {2L) be such 


that X; G c, — t. The combiner runs the algorithm from Theorem 2.14 with input k and (ci,..., cm). 


receiving output (c [,... ,c^). (Formally, we must encode the cosets as integers in {1,... ,2”}.) Finally, 
for each c(, it chooses a pair of unpaired vectors Xy, Xj. with cy = = d- and outputs Y,- = (Xy -|- Xjt) /2. 

The running time of the algorithm follows from Item of Theorem 2.14 Furthermore, we note 
that by Itemof the same theorem, there will always be a pair of indices j, k for each i as above. 

To prove correctness, we observe that for c G £/ {2L) and y G c — t. 


Pr[X; = y] = 


Ps{c-i) 


Ps{L-t) X~Dc 


Pr [x = y] 


In particular, we have that Pr[c, = c] = ps{c — t)/ps{L — t). Then, the cosets (ci,..., cm) satisfy the 
conditions necessary for Item of Theorem 2.14 


Applying the theorem, up to statistical distance M exp(Cin — C 2 K), we have that the output vec¬ 
tors are independent, and 

'■ Ec 6/:/(2/:) Ps(c -1)^ 


m> M- 


= M 


32 k ps(/:-t)maXcg^/(2/:)Ps(c-t) 

1 _ Ps/Vl^^) ' Ps/Vli^ ~ 

32k Ps{L - t) max,g£/( 2 £) ps{c - t) ' 


where the equality follows from Lemma [3.1| by setting x = t, and y = 0. Furthermore, we have 
Pr[c- = c] = ps(c — t)^/ ps(c' — t)^ for any coset c G £/ (2L). Therefore, for any y G £, 

Fr[Y, =y]= ■ X] fx x= y] 

LPs[c tj ceC/{iC) 

= Pr [(Xi + X2)/2 = y |Xi+X2G2/:-2t] . 

(Xi,X2)~D2_,^^ 


The result then follows from Lemma 14.11 


□ 
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